trivy-scan-dispatch #956
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## | |
# This action runs Trivy container and repository vulnerability | |
# scanner for Docker images and filesystem. | |
## | |
name: trivy-security-scan | |
on: | |
repository_dispatch: | |
types: [trivy-scan-dispatch] | |
jobs: | |
trivy_scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
# Image availability check with retry logic | |
- name: Check Docker image availability with retry | |
id: check-image | |
if: github.event.client_payload.image != '' | |
run: | | |
image="${{ github.event.client_payload.image }}" | |
interval=300 | |
retry_limit=5 | |
attempt=0 | |
while ! docker pull $image; do | |
attempt=$((attempt + 1)) | |
if [ "$attempt" -gt "$retry_limit" ]; then | |
echo "::error::Image $image is not available after $retry_limit attempts." | |
exit 1 | |
fi | |
echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..." | |
sleep $interval | |
done | |
echo "Image $image is now available." | |
# Image scanning | |
- name: Run Trivy vulnerability scanner on image | |
if: github.event.client_payload.image != '' | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 | |
with: | |
image-ref: ${{ github.event.client_payload.image }} | |
cache: 'true' | |
format: "sarif" | |
output: "trivy-image-results.sarif" | |
exit-code: "1" | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" | |
env: | |
TRIVY_CACHE_DIR: .cache/trivy | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
# Upload image scan results | |
- name: Upload Trivy image scan results | |
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 | |
with: | |
sarif_file: "trivy-image-results.sarif" | |
category: trivy-image | |
# Filesystem scanning | |
- name: Run Trivy filesystem scan | |
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 | |
with: | |
scan-type: 'fs' | |
cache: 'true' | |
format: 'sarif' | |
output: 'trivy-fs-results.sarif' | |
severity: 'CRITICAL,HIGH' | |
ignore-unfixed: true | |
env: | |
TRIVY_CACHE_DIR: .cache/trivy | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
# Upload filesystem scan results | |
- name: Upload Trivy filesystem scan results | |
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 | |
with: | |
sarif_file: 'trivy-fs-results.sarif' | |
category: trivy-fs |